Hopefully at this point you're able to conceptualize just how much being able to demonstrate proper cyber hygiene
will dramatically impact business risk,
if for no other reason than just the legal considerations.
But how can you potentially motivate preemptive action? One of the things you may want to consider is how you can financially incentivize
applying better practices.
So now let's talk about total cost of ownership versus return on investment.
So the old adage goes, you cannot put a return on investment on cyber security.
We've all heard this for years, right? So let's talk about what return on investment even is. Simply put, it's a formula
to measure the cost of an investment
versus the gains from that same investment.
Have you ever heard a pitch from a security vendor
boasting about how their appliance or software will dramatically improve your operational capabilities through automation? Ever stop to think, if you spend $100,000 on a product,
at what point do you even break even? Wouldn't it be great if you could demonstrate to your senior leaders, if you spent $100,000,
at what point you would be able to break even?
The point is, it's no longer just throwing money at security for the sake of throwing money at security.
Now you're able to try to accomplish what the board wants you to take into consideration
by being prudent with your investments.
Okay, so before we go any further,
my professional observation is that while you may not be able to show a return on investment for cyber security,
you most certainly can show a reduction
in the total cost of ownership. You have a dizzying intellect.
Wait till I get going.
Leverage the same premise that a vendor is using to try to sell you on a product or service.
Let's use syslog monitoring as an example.
For those of you that have never done manual system log reviews,
it's like watching the paint dry.
It's exceptionally tedious.
It requires very detailed knowledge about the system in question.
And when you couple that with how boring this activity is,
trust me, I don't wish that job description on anybody.
And as many of you know, lots of companies out there don't even bother to hire individuals like us;
they would rather force IT guys to wear multiple hats, one of which is security,
also forcing them to do things like firewall reviews,
identification and authentication reviews,
and the always present and ever challenging
patch management each month. Who has the time or the money to automate or outsource unless you are a really big company?
So, excuse me, for the purpose of this scenario,
let's say that this company is located in Atlanta. Let's also say they have a security administrator.
Now, I just pulled this from salary.com
to give you an idea of what a median salary looks like.
So if we shoot for the middle-of-the-road salary, the cost is about $84,000.
When we break this down, we have a burn rate of a little over $40 per hour.
This is only an hourly rate without benefits
being factored in, or what is otherwise defined as a fully loaded rate.
So now we have the hourly rate.
We can use this hourly rate as part of a new equation.
The $40.36, which is the burn rate per man hour,
multiplied by the number of hours to do a manual review of the syslogs, firewalls, patch management, et cetera,
multiplied by the number of months in any given year,
gives us a value of $19,372 and change.
So this is the new barrier that should either be...
so we know in this particular scenario, the cost to beat is a little over $19,000.
So let's say for this scenario you're being given a quote to outsource all that to a managed security services provider. And that quote is only $15,000 per year.
The delta between the $15,000 and the $19,000 and change is a little over $4,000 a year. That's quite a significant reduction in your total cost of ownership. However, what if the quote is higher?
If you have a higher total cost of ownership, does that mean that you simply say no, we're just gonna stick with what we're currently doing?
There are other factors to consider.
What are the costs of incident response and disaster recovery,
what are the costs of legal defense, of breach notifications,
and the cost of credit monitoring, if applicable? Big question: do you have cyber insurance?
Who, and how, do they plan on paying for all these activities
in the event of a cyber breach?